Support setting loadBalancerClass in Seed and ExposureClass (gardener#13305)

Author: timebertt

docs/api-reference/core.md

@@ -11421,6 +11421,19 @@ SeedSettingLoadBalancerServicesZonalIngress
 Defaults to true.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>class</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Class configures the Service.spec.loadBalancerClass field for the load balancer services on the seed.
+Note that changing the loadBalancerClass of existing LoadBalancer services is denied by Kubernetes.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="core.gardener.cloud/v1beta1.SeedSettingLoadBalancerServicesZonalIngress">SeedSettingLoadBalancerServicesZonalIngress

docs/operations/seed_settings.md

@@ -72,6 +72,13 @@ In most cases, the cloud-controller-manager (responsible for managing these load
 
 By setting the `.spec.settings.loadBalancerServices.annotations` field the Gardener administrator can specify a list of annotations, which will be injected into the `Service`s of type `LoadBalancer`.
 
+### Load Balancer Class
+
+By default, Gardener creates `Services` without the `spec.loadBalancerClass` field set, meaning that the default load balancer implementation of the underlying cloud infrastructure is used (implemented by the `Service` controller of cloud-controller-manager).
+If a non-default load balancer implementation should be used for load balancer services in the seed cluster, the `spec.settings.loadBalancerServices.loadBalancerClass` field can be configured accordingly to set the `spec.loadBalancerClass` on the created `Service` objects.
+Note that changing the `loadBalancerClass` of existing load balancer services is denied by Kubernetes, i.e., this setting can only be applied automatically to newly created load balancer services.
+If an existing load balancer service should use a different load balancer class, the migration needs to be performed manually by the operator.
+
 ### External Traffic Policy
 
 Setting the [external traffic policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) to `Local` can be beneficial as it

docs/usage/networking/exposureclasses.md

@@ -128,6 +128,7 @@ exposureClassHandlers:
       loadbalancer/network: internet
 - name: internal-config
   loadBalancerService:
+    class: internal-loadbalancer
     annotations:
       loadbalancer/network: internal
   sni:
@@ -146,6 +147,11 @@ The load balancer service needs to be configured in a way that it is reachable f
 Therefore, the configuration of load balancer service need to be specified, which can be done via the `.loadBalancerService` section.
 The common way to influence load balancer service behaviour is via annotations where the respective cloud-controller-manager will react on and configure the infrastructure load balancer accordingly.
 
+To select a non-default load balancer implementation, the `class` field can be set to configure the `spec.loadBalancerClass` on the created `Service` objects.
+If the `class` field is unset, `spec.loadBalancerClass` is not configured and the default load balancer implementation of the underlying cloud infrastructure is used (implemented by the `Service` controller of cloud-controller-manager).
+Note that changing the `loadBalancerClass` of existing load balancer services is denied by Kubernetes, i.e., this setting can only be applied automatically to newly created load balancer services.
+If an existing load balancer service should use a different load balancer class, the migration needs to be performed manually by the operator.
+
 The control planes on a `Seed` will be exposed via a central load balancer and with Envoy via TLS SNI passthrough proxy.
 In this case, the gardenlet will install a dedicated ingress gateway (Envoy + load balancer + respective configuration) for each handler on the `Seed`.
 The configuration of the ingress gateways can be controlled via the `.sni` section in the same way like for the default ingress gateways.

example/50-seed.yaml

@@ -93,6 +93,7 @@ spec:
   # loadBalancerServices:
   #   annotations:
   #     foo: bar
+  #   class: non-default-load-balancer-class
   #   externalTrafficPolicy: Local
   #   proxyProtocol:
   #     allowed: true

pkg/apis/core/types_seed.go

@@ -267,6 +267,9 @@ type SeedSettingLoadBalancerServices struct {
 	// ZonalIngress controls whether ingress gateways are deployed per availability zone.
 	// Defaults to true.
 	ZonalIngress *SeedSettingLoadBalancerServicesZonalIngress
+	// Class configures the Service.spec.loadBalancerClass field for the load balancer services on the seed.
+	// Note that changing the loadBalancerClass of existing LoadBalancer services is denied by Kubernetes.
+	Class *string
 }
 
 // SeedSettingLoadBalancerServicesZones controls settings, which are specific to the single-zone load balancers in a